Comprehensive and Detailed In-Depth Explanation:
CMMC practice AU.L2-3.3.6 – Reduction & Reporting requires organizations to "provide audit reduction and report generation capabilities to support after-the-fact investigations without altering original records." The objectives are: [a] reducing audit records by filtering non-essential data, and [b] generating reports for analysis. Splunk, a SIEM tool, is deployed, and the assessor must evaluate its alignment with these goals.
Option C: Filter rules for reduction and analysis/reporting processes – This directly addresses the practice's core requirements: reducing logs (e.g., filtering noise) and generating meaningful reports (e.g., anomaly detection, summaries). These features ensure Splunk meets AU.L2-3.3.6's intent, making it the key focus.
Option A: RBAC for access restriction – Relevant to AU.L2-3.3.8 (Audit Protection), not reduction/reporting; it's a security control, not a capability of this practice.
Option B: Retention time – Pertains to AU.L2-3.3.2 (Audit Retention), not reduction/reporting functionality.
Option D: Compliance dashboards – Useful but not required by AU.L2-3.3.6; the focus is on reduction and reporting, not real-time compliance visibility.
Why C? The CMMC guide specifies assessing tools for reduction (filtering) and reporting (analysis/report generation), and Splunk's effectiveness hinges on these features, per the scenario's SOC context.
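To make the two assessment objectives concrete, the following added example (illustrative code written for this explanation, not Splunk's own search language or any vendor code) performs objective [a], audit reduction by filtering non-essential events, and objective [b], report generation with a summary and an anomaly list, over a constructed sample audit log. The event names, the set of "noise" events, and the failed-login threshold are assumptions chosen for the illustration; the fingerprint comparison shows how an assessor could verify the "without altering original records" clause.

```python
"""Audit reduction and report generation over constructed sample records.

Illustrative example (not Splunk code): the reduce step filters
non-essential events into a new list, and the report step summarises the
reduced set. The original records are only read, never modified, which is
what AU.L2-3.3.6's "without altering original records" requires.
"""
import hashlib
import json
from collections import Counter

# Constructed sample audit log (not from any real system): one JSON object per
# line, held in an immutable tuple to mirror write-once original records.
RAW_AUDIT_LOG = (
    '{"ts": "2024-05-01T08:00:00Z", "host": "srv1", "event": "heartbeat", "user": "-", "result": "ok"}',
    '{"ts": "2024-05-01T08:00:05Z", "host": "srv1", "event": "login", "user": "alice", "result": "success"}',
    '{"ts": "2024-05-01T08:00:10Z", "host": "srv1", "event": "login", "user": "bob", "result": "failure"}',
    '{"ts": "2024-05-01T08:00:12Z", "host": "srv1", "event": "login", "user": "bob", "result": "failure"}',
    '{"ts": "2024-05-01T08:00:15Z", "host": "srv1", "event": "login", "user": "bob", "result": "failure"}',
    '{"ts": "2024-05-01T08:00:20Z", "host": "srv2", "event": "health_check", "user": "-", "result": "ok"}',
    '{"ts": "2024-05-01T08:01:00Z", "host": "srv2", "event": "file_access", "user": "alice", "result": "success"}',
    '{"ts": "2024-05-01T08:02:00Z", "host": "srv2", "event": "heartbeat", "user": "-", "result": "ok"}',
)

# Assumed filter rule: these event types are operational noise with no
# investigative value, so the reduction step drops them.
NOISE_EVENTS = frozenset({"heartbeat", "health_check"})


def fingerprint(lines):
    """SHA-256 over the raw lines; comparing it before and after processing
    demonstrates that reduction and reporting left the originals untouched."""
    digest = hashlib.sha256()
    for line in lines:
        digest.update(line.encode("utf-8"))
        digest.update(b"\n")
    return digest.hexdigest()


def reduce_records(lines, noise_events=NOISE_EVENTS):
    """Objective [a]: filter non-essential data. Parses each line into a new
    dict and keeps only events outside the noise set; the input is read only."""
    return [
        record
        for record in (json.loads(line) for line in lines)
        if record["event"] not in noise_events
    ]


def generate_report(records, failure_threshold=3):
    """Objective [b]: summarise the reduced records and flag anomalies.
    An anomaly here (assumed rule) is a user with repeated failed logins."""
    events_by_type = Counter(record["event"] for record in records)
    failed_logins = Counter(
        record["user"]
        for record in records
        if record["event"] == "login" and record["result"] == "failure"
    )
    anomalies = sorted(
        user for user, count in failed_logins.items() if count >= failure_threshold
    )
    return {
        "total_records": len(records),
        "events_by_type": dict(events_by_type),
        "failed_logins_by_user": dict(failed_logins),
        "anomalies": anomalies,
    }


def run_reduction_and_report(lines=RAW_AUDIT_LOG):
    """Full pipeline: fingerprint originals, reduce, report, re-fingerprint."""
    before = fingerprint(lines)
    reduced = reduce_records(lines)
    report = generate_report(reduced)
    report["original_count"] = len(lines)
    report["originals_unaltered"] = fingerprint(lines) == before
    return report


if __name__ == "__main__":
    print(json.dumps(run_reduction_and_report(), indent=2))
```

On the constructed input, the eight original records reduce to five, the report counts four logins and one file access, attributes three failed logins to the user bob and lists that user as the only anomaly, and the before/after fingerprints match. In an assessment, the analogous evidence from a SIEM would be the configured filter or search rules, a generated report, and confirmation that the indexed source records are stored read-only.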
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Examine tools for capabilities to [a] reduce audit records by filtering non-essential data, and [b] generate reports identifying anomalies and summarizing data."
NIST SP 800-171A, 3.3.6: "Assess reduction and reporting functions, such as filtering and customized report generation."